Re: [fw-wiz] Firewalls that generate new packets..

Hi Kelly,

Let's say I am kind of disappointed. I figured that your question would kick
off a "proxy" versus "everything else" type "discussion". It didn't.
Ah, the 90s.... good times, good times...

What I believe you are referring to when you talk about "generate a
new packet ... " is a proxy firewall. This is a piece of code that
will take the original packet, suck out the contents (the content may
be inspected at this point, but that rarely happens), build a new packet,
blow the content back into the new packet, and send it along its way
(assuming it meets other criteria such as being allowed, valid, etc).
Commercial examples of this type of firewall are Sidewinder or
Symantec Enterprise Firewall (formerly known as Raptor). The other
type of firewall (and market leader) would be "stateful". Examples of
this would be Checkpoint, Pix (ASA), and pretty much every kitchen
appliance these days.

What would be the advantage of this approach? Well - the primary
advantage would be that there is no "direct" path to the service that
you need to talk to. This is helpful especially in the days where IP
stacks were poorly written and attacks against them were more
realistic. If you use an application specific proxy (http, smtp, etc)
then you have an improved level of packet validation. This could be
helpful to protect against potential unknown attacks against
applications. There are a few more but I don't think they are that

What would be a disadvantage? Some say performance. I never bought
that argument. It's a sizing issue. The firewalls I've dealt with
that handled the highest amount of packets were proxies. Others say
price. This is a true argument - commercial proxy firewalls were
traditionally at a higher price point than their stateful counterparts.

I've done a lot of firewall conversions in the last few years. The
primary reason organizations cited as a reason to move away from proxy
firewalls was management. If you have to manage more than, say, one
firewall, the management interfaces of the two market leaders in the
proxy space have always fallen down (read: royally sucks). Checkpoint
has always done a better job at this. And organizations like the
familiarity of the Pix (ASA) because everything else they have is
Cisco devices. Whether it's a better option in "securing" whatever you
are trying to "secure" rarely enters the discussion.

In the end, stateful and proxy firewalls will both do the job that we
ask firewalls to do and are only one component of an overall security

cue "discussion"


On Nov 13, 2007, at 9:58 PM, Kelly Robinson wrote:

Some firewalls, after receiving a packet, generate a new packet and
populate it with data from the original, rather than forwarding the
same packet that was received. What are the advantages and
disadvantages of this approach? And does anyone have any examples of
any firewalls that do this on the market?


- k
firewall-wizards mailing list
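The proxy mechanism the reply describes (suck out the contents, validate them, build a new packet, send that along), as an added example that is not from the original post or from any of the products named: a minimal HTTP request rebuilder plus a one-connection relay. The allowed-method list, header limit and upstream host are assumptions chosen for illustration.

```python
# Added example, not from the original post: extract the content of what
# arrived, validate it, and build a brand-new request from the extracted
# fields; the original bytes are never forwarded. Method list, header
# limit and upstream host are illustrative assumptions.
import socket

ALLOWED_METHODS = {"GET", "HEAD"}   # bodyless methods only, so no body relay needed
MAX_HEADERS = 50

def extract(raw: bytes):
    """Pull the request line and headers out of the received bytes.
    Returns (method, target, headers) or None if anything is malformed."""
    try:
        head = raw.partition(b"\r\n\r\n")[0].decode("ascii")
        lines = head.split("\r\n")
        method, target, version = lines[0].split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if method not in ALLOWED_METHODS or version != "HTTP/1.1":
        return None
    if not target.startswith("/") or len(lines) - 1 > MAX_HEADERS:
        return None
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        # reject missing colon, empty name, or control characters (header injection)
        if not sep or not name or any(c < " " for c in name + value):
            return None
        headers.append((name, value))
    return method, target, headers

def rebuild(raw: bytes, upstream_host: str):
    """Build a new request from the extracted fields only; Host and
    Connection are set by the proxy, not copied from the client."""
    parsed = extract(raw)
    if parsed is None:
        return None
    method, target, headers = parsed
    out = [f"{method} {target} HTTP/1.1", f"Host: {upstream_host}"]
    out += [f"{n}: {v}" for n, v in headers if n.lower() not in ("host", "connection")]
    out.append("Connection: close")
    return ("\r\n".join(out) + "\r\n\r\n").encode("ascii")

def relay_once(client: socket.socket, upstream: tuple) -> bool:
    """Serve one client: receive, rebuild, open a *new* connection to the
    upstream, shuttle its response back. Returns False if the request was dropped."""
    request = rebuild(client.recv(65535), upstream[0])
    if request is None:
        client.close()          # malformed or disallowed: nothing reaches the server
        return False
    with socket.create_connection(upstream) as server:
        server.sendall(request)
        while True:
            chunk = server.recv(65535)
            if not chunk:
                break
            client.sendall(chunk)
    client.close()
    return True
```

Note that there is no direct client-to-server path: the server only ever sees a connection opened by the proxy and bytes the proxy itself composed.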